/**
 * 配置
 * */
package org.zmhhxl.user.configure;

import lombok.extern.slf4j.Slf4j;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.AdviceMode;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
import org.springframework.security.web.SecurityFilterChain;

@EnableWebSecurity
// 方法级权限控制
//@EnableGlobalMethodSecurity()  //已弃用        // @PreAuthorize("hasPermission(#permission)") 必须有spring-security-acl支持
@EnableMethodSecurity(mode = AdviceMode.PROXY, // 默认为PROXY AOP,ASPECTJ模式 例：https://github.com/spring-projects/spring-security-samples/blob/main/servlet/java-configuration/aspectj/src/main/java/sample/aspectj/AspectjSecurityConfig.java
      prePostEnabled = true,   // @PreAuthorize("hasRole('USER') && #username == authentication.principal.username"), @PostAuthorize("returnObject.owner == authentication.principal.username"), @PreFilter, @PostFilter, @PreDestroy
      securedEnabled = false,   // @Secured({"ROLE_USER"}),类似于@RolesAllowed,
      jsr250Enabled = false,   // @RolesAllowed({"USER", "ADMIN"}), @Authenticated, @DenyAll, @PermitAll,
      proxyTargetClass = false)
@Configuration(proxyBeanMethods = false)
@Slf4j
public class UserResourceServerConfig {

   @Autowired
   private JwtAuthenticationConverter jwtAuthenticationConverter;

   // @formatter:off
   @Bean
   SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
      //以下两种方法选择其一
      //第一种
      http.headers().httpStrictTransportSecurity().disable();

      http
//            .authorizeHttpRequests(authorize -> {
//               authorize
//                     .requestMatchers("/user/", "/user/**", "/actuator/**")
//                     .permitAll()
//                     .anyRequest().authenticated();})
            //.securityMatcher("/user/**")
            .authorizeHttpRequests()
            .requestMatchers("/user/find_by_username/*","/user/find_by_id/*").permitAll()
            .requestMatchers("/user/third_party/find_by_thirdparty_id/*/id/*","/user/third_party/find_by_id/*", "user/third_party/find_user_id_by_id/*").permitAll()
            .requestMatchers(HttpMethod.OPTIONS, "/**").permitAll()
            //.requestMatchers("/user/**").hasAuthority("user") //不要SCOPE_  message.read  OAUTH2_USER
            .anyRequest().authenticated()
            .and()
            .oauth2ResourceServer()
            .jwt(
                  jwt -> {
                     jwt.jwtAuthenticationConverter(jwtAuthenticationConverter);
//                       // .jwtAuthenticationConverter(jwtAuthenticationConverter1());
//                       .decoder(jwtDecoder);
                     Customizer.withDefaults();
                  }
            )
      ;

      return http.build();
   }
   // @formatter:on
}
